NSA Won't Jettison Contractors, Yet

The director of the National Security Agency declined to say that the electronic spy agency would stop using contractors in top secret IT positions to prevent a leak such as the one that exposed NSA programs to collect metadata on U.S. citizens.

Gen. Keith Alexander also announced at a Senate hearing on June 12 that the Defense Department will examine the oversight mechanisms in place that are designed to prevent all individuals with top secret clearances, not just contractors, from accessing information they're not entitled to see.

Responding to a question on whether the NSA should stop using contractors in sensitive positions, Gen. Keith Alexander said, "I'm not prepared to make that statement, yet."

The question was raised by Sen. John Boozman, R-Ark., because Edward Snowden, a 29-year-old systems administrator with top secret clearance working for government contractor Booz Allen Hamilton, leaked details about two top secret programs to collect metadata about telephone calls and Internet activities in an attempt to identify terrorists [see NSA's Prism: Balancing Security, Privacy].

"There are good contractors out there who are doing a good job," Alexander said during the Senate Appropriations Committee hearing.

The Role of Contractors

The federal government relies heavily on contractors in many fields because it doesn't have the expertise on staff to meet its needs; that's especially true in information technology and information security. Contractors go through the same security clearance process as do federal employees, and they take the same oath not to disclose government and military secrets. "Their paychecks just come from two different sources," Evan Lesser, managing director of the jobs website Clearancejobs.com, tells Information Security Media Group.

Lesser points out that Army Pfc. Bradley Manning, on trial for disclosing one-quarter million sensitive and secret diplomatic cables to WikiLeaks, was a government employee, not a contractor. In vetting individuals for top secret security clearances, the government looks at their finances; foreign travel; and habits, such as drug and alcohol use and gambling, that could compromise them.

"From a clearance standpoint, there's not a whole lot in their background that is going to likely trip them up," Lesser says. "The younger you are, the easier it is to get a clearance because you have less baggage, less history. In the case of these two, it doesn't sound like there was anything in their past that would raise a red flag during the clearance process."

At the hearing, Alexander also dismissed Snowden's contention that the contractor could tap into virtually any American's phone calls or e-mail. "I know no way to do that," he said.

Lengthy Investigation Expected

The NSA director also cautioned that it would take considerable time for the Defense Department to examine the security mechanisms in place designed to prevent individuals with top secret clearances from accessing information they're not entitled to see. He said the investigation will look at procedures for when to encrypt data.

"I don't want to mislead you; this is a significant effort for the Defense Department," he said, adding that he has the backing of Defense Secretary Chuck Hagel and Joint Chiefs of Staff Chairman Gen. Martin Dempsey. "We're pushing this; this is the right way to go. I wish we could go back in time."

The federal government uses a variety of tools that could identify the activities of employees. Those include keylogging software and computer logs that pinpoint staff members' whereabouts and actions within federal IT systems and networks, sources familiar with the federal government's security clearance systems say. But having the tools in place - and not all tools are used by all agencies at all times - doesn't mean that the proper authorities are alerted in a timely manner to activities that could jeopardize the nation's security [see IT Tools Available to Stop NSA-Type Leaks].

Alexander, who also serves as commander of the U.S. Cyber Command, said the leak has caused great harm. "The consequence of this is that our security has been jeopardized," Alexander said. "There is no doubt in my mind that we will lose capabilities as a result of this, and not only the United States but those allies that we have helped will no longer be as safe as they were two weeks ago."

'Americans Will Die'

Alexander said the surveillance programs prevented dozens of possible terrorist events in the U.S. and abroad, but he declined to identify them for security reasons.

Because the programs have been disclosed, however, Alexander said it's incumbent for political and military leaders to explain the benefits of the programs to the American people. And he said the NSA will be transparent, within limits, disclosing some information about the programs, but not everything. "Some of these are still going to be classified and should be because if we tell the terrorists every way we're going to track them, they will get through and Americans will die."

About the Author

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.

Operation Success!

Risk Management Framework: Learn from NIST

From heightened risks to increased regulations, senior leaders at all levels are pressured to
improve their organizations' risk management capabilities. But no one is showing them how -
until now.

Learn the fundamentals of developing a risk management program from the man who wrote the book
on the topic: Ron Ross, computer scientist for the National Institute of Standards and
Technology. In an exclusive presentation, Ross, lead author of NIST Special Publication 800-37
- the bible of risk assessment and management - will share his unique insights on how to:

Understand the current cyber threats to all public and private sector organizations;

Develop a multi-tiered risk management approach built upon governance, processes and
information systems;

Enter your email address to reset your password

Already have anISMG account?

Forgot Your Password Message:

Contact Us

Already have anISMG account?

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing databreachtoday.co.uk, you agree to our use of cookies.